1. INTRODUCTION

We define a system for describing state changes, briefly as follows: Our intention is to talk about state changes in a generalized machine; that is, as a first approximation, state change means a new interpretation of constant symbols in a given relational structure. The language for describing these state changes allows sentences of the following kind, called "state deltas," to be formed: If the system is in a state satisfying a certain "precondition" and certain of the constant symbols (the "environment") have not changed since a given previous time, then there is a later time at which the state will satisfy a certain "postcondition," and during the elapsed time the interpretations of only certain specified constant symbols (those in the "modification" list) are allowed to change. This restricted use of a "since-during" modality is one of the special features of this approach.

The precondition and postcondition may themselves be (or contain as conjuncts) sentences like the above, and the postcondition may contain function symbols that are interpreted as referencing any previous values of constants. The ability (necessity here) to remember previous values is the other special feature.

There are two complementary ways to interpret the use of state deltas as subsentences of other state deltas. First, from the viewpoint of an omniscient observer with the whole history and future of state changes laid out before him, the truth of any state delta at any time can be checked. Or, from the viewpoint of the control of an executing program, a state delta can be understood as a program, and so its truth at a certain time simply means that that program is available for execution.

Our formulation is directly based on the state deltas introduced by S. Crocker in his thesis [1]. It also bears a close relation to elements of the "sometimes assertion" method [3] with a restricted "during" modal operator, and a more distant relation to the work of Pratt [5] and Pnueli [4] and others in modal and temporal logic as applied to computer science. A discussion of similar ideas as applied to natural language appears in Saarinen [6].
The reasons for focusing on this particular "during" modality, i.e., that during a certain interval certain constants do not change value, are several: first, it is an efficient abbreviation for saying that all the old facts known about the unchanging constants are still true in the new state; second, it is a useful property in the context of parallel computations to know that certain constants (i.e., program variables) have not changed their values during a certain interval, and thus may be referenced by some other process at any time in that interval. This is of course stronger than just knowing that the value at the end of the interval is the same as at the beginning.

A system for checking proofs of microcode correctness based on state deltas has been implemented at USC Information Sciences Institute and is described in [2].

2. DEFINITIONS

First we are given a totally ordered set $\langle A, < \rangle$ with minimum element $\mathrm{START}$ ($\mathrm{START} \le t$ for all $t \in A$) and no maximal element. This is regarded as time, along which the state of a computation may change.

Next we are given an arbitrary first-order language $L$ with equality ($= \in L$), and an $L$-model $B$. $B$ is the model of the "background data domain and architecture." Let $\Omega$ be a finite set of constant symbols with $\Omega \cap L = \emptyset$. These constants are the "program identifiers" or machine "place names." Here, the constants are assumed to represent disjoint places. Of course, it is possible to allow places to intersect, but this adds unessential complications to the presentation. Finally we are given the function symbols $.$ (read "dot"), $\Box$, and $\Box^n$ for $n < \omega$, from $\Omega$ to the universe of $B$. You may think of dot as mapping a place to its (current) "contents" and $\Box^n$ to its "$n$-th previous contents." We write $\Box$ instead of $\Box^1$ (and $.$ instead of $\Box^0$). Thus $\Box c$ is the previous value of $c$, $\Box^2 c$ is the value before that, etc. Let $L_1$ be $L \cup \{., \Box\} \cup \Omega$ and $L_2 = L_1 \cup \{\Box^n : n < \omega\}$.

A word on the utility of dot. Essentially, dot is a way of making explicit the interpretation of the elements of $\Omega$ in $B$. That is, instead of the usual assumption that the program changes the interpretation of the constant symbols, here the constants do not change their interpretation (i.e., each represents one piece of hardware for the whole computation), but rather the function dot changes its values.

We consider partial (machine or program) states, in the sense that the image under dot of some elements of $\Omega$ may not be completely specified. However, we may have some information in the form of a set of sentences $S$ of $L_1$. By assuming that the elements of $B$ are first-order definable in $B$ (or at least that this is true for the elements of $B$ that are possible images of $\Omega$ under dot), we can completely specify $.c$ for $c \in \Omega$ by a sentence of $L_1$. But we do not restrict $S$ to contain only defining sentences of this form.

Of course we want $S$ to be consistent with $B$. In addition, there may be a set of sentences $T$ of $L_2 \supseteq L_1$ that we want to hold always (in all partial states), and $S$ must also be consistent with $T$. For example, relations such as the length of a place (considered as a register in a machine) or inclusions among several places are "architectural" facts that should not change during a given computation. Now we are ready for the definition.

Definition: A partial state (for the system with "background" model $B$ and "architecture" sentences $T$) is a set $S$ of sentences of $L_1$ closed under logical deduction, such that there exists an expansion $B^*$ of $B \cup \Omega$ satisfying $B^* \models S \cup T$, where $\Omega$ can be considered just as the set $\Omega$ with equality. (See the remark below for an alternative to demanding closure under logical deduction; this is not an essential requirement: in implementations, $S$ is of course always finite.) Note that inside a given partial state there is no restriction on the relations among $.$ and $\Box^n$ for all $n$. But see (4) and (5) below.

Definition: First-order satisfaction in partial states. Let $S$ be a partial state and $\varphi$ be a sentence in $L_2$. $S \vdash \varphi$ ("$\varphi$ follows from $S$") iff for every expansion $B^*$ of $B \cup \Omega$ that satisfies $B^* \models S \cup T$, also $B^* \models \varphi$.

So, for example, if $\varphi$ is a sentence of $L$, then $S \vdash \varphi$ iff $B \models \varphi$.
The next definition generalizes $c \in C_1$.

Definition: Let $C_1 \subseteq \Omega$, $c \in \Omega$. $C_1$ determines $c$ (with respect to $T$) if there are $c_1, \ldots, c_n \in C_1$ and a function $f(x_1, \ldots, x_n)$ definable in $T$ such that $T \vdash f(.c_1, \ldots, .c_n) = .c$. $C_1$ determines $C_2 \subseteq \Omega$ if for every $c \in C_2$, $C_1$ determines $c$.

Thus, if the values (or contents) of $C_1$ are preserved, then the same is true for $C_2$.

Definition: A state-delta model is a system $\mathcal{A}$ consisting of a time model $\langle A, < \rangle$, a background model $B$ in language $L$, for every $t \in A$ a partial state $S_t$ in language $L_1$, a set of sentences $T$ in language $L_2$ (all as above), and in addition, for every interval $I = [t_1, t_2]$ of $A$, a subset $C_I \subseteq \Omega$ (to be thought of as containing those constants whose contents do not change over $I$) such that (1) through (5) below hold.

(1a) If $I \subseteq J$, then $C_J \subseteq C_I$ (if $I$ is a one-point interval or if it is empty, then $C_I = \Omega$). (1b) $I \cap J \ne \emptyset$ implies $C_I \cap C_J \subseteq C_{I \cup J}$. Notice that for all $I, J$, $C_{I \cup J} \subseteq C_I \cap C_J$ already follows from (1a). So actually we have that $I \cap J \ne \emptyset$ implies $C_I \cap C_J = C_{I \cup J}$.

Definition: $c \in \Omega$ changes value (perhaps) at $t_1$ if there exists $t_0 < t_1$ such that for every $t$ with $t_0 < t < t_1$, $c$ is determined by $C_{[t_0, t]}$ but not by $C_{[t_0, t_1]}$.

(2) For every constant $c$, the sequence of times at which $c$ changes is of order type $\le \omega$, and if it is infinite, then it is cofinal in $A$.

Definition: $c^{-1}(t) = \max(\{t' : t' \le t,\ c \text{ changes at } t'\} \cup \{\mathrm{START}\})$ and $c^{-(n+1)}(t) = \max(\{t' : t' < c^{-n}(t),\ c \text{ changes at } t'\} \cup \{\mathrm{START}\})$. (Notice $c^{-1}(t) = t$ if $c$ changes at $t$, but $c^{-(n+1)}(t) < c^{-n}(t)$ unless $c^{-n}(t) = \mathrm{START}$.)

$c^{1}(t) = \min(\{t' : t' > t,\ c \text{ changes at } t'\} \cup \{\infty\})$ and $c^{n+1}(t) = \min(\{t' : t' > c^{n}(t),\ c \text{ changes at } t'\} \cup \{\infty\})$.
(3) If $\varphi(c_1, \ldots, c_n) \in S_{t_0}$, then $\varphi(c_1, \ldots, c_n) \in S_t$ for all $t$ such that $c_1, \ldots, c_n$ do not change between $t$ and $t_0$ (or between $t_0$ and $t$); that is, $\max\{c_1^{-1}(t_0), \ldots, c_n^{-1}(t_0)\} \le t < \min\{c_1^{1}(t_0), \ldots, c_n^{1}(t_0)\}$.
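To make the change-time arithmetic concrete, the following Python is an added example (not code from the paper or from the proof checker of [2]). It assumes time is the tick index $0, \ldots, \text{len(trace)}-1$ with $\mathrm{START} = 0$, a constructed trace of three places, and that $c$ "changes at $t$" when its contents at $t$ differ from those at $t-1$. It computes $c^{-n}(t)$, $c^{n}(t)$, the $n$-th previous contents $\Box^n c$, and the sets $C_I$, and verifies (1a) and (1b) over every pair of intervals of the trace.

```python
# Added example, not from the paper. Time is the tick index of a finite trace
# (START = 0); "c changes at t" means contents at t differ from contents at t-1.

START, INF = 0, float("inf")

# Constructed trace: contents (.c) of every place at each tick.
TRACE = [
    {"PC": 0, "ACC": 0, "R1": 7},   # t = 0 (START)
    {"PC": 1, "ACC": 0, "R1": 7},   # t = 1: PC changes
    {"PC": 2, "ACC": 7, "R1": 7},   # t = 2: PC, ACC change
    {"PC": 2, "ACC": 7, "R1": 7},   # t = 3: nothing changes
    {"PC": 3, "ACC": 7, "R1": 9},   # t = 4: PC, R1 change
]

def change_times(trace, c):
    """Times at which place c changes value; finite, so (2) holds trivially."""
    return [t for t in range(1, len(trace)) if trace[t][c] != trace[t - 1][c]]

def prev_change(trace, c, t, n=1):
    """c^{-n}(t): c^{-1}(t) is the last change at or before t, and c^{-(k+1)}(t)
    the last change strictly before c^{-k}(t); START when there is none."""
    times, cur = change_times(trace, c), t
    for k in range(n):
        earlier = [u for u in times if (u <= cur if k == 0 else u < cur)]
        cur = max(earlier) if earlier else START
    return cur

def next_change(trace, c, t, n=1):
    """c^{n}(t): the n-th change of c strictly after t, or INF (the paper's infinity)."""
    times, cur = change_times(trace, c), t
    for _ in range(n):
        later = [u for u in times if u > cur]
        cur = min(later) if later else INF
    return cur

def previous_contents(trace, c, t, n=1):
    """Box^n c at time t: the contents just before the n-th previous change,
    or None when that change is START (no earlier contents exist)."""
    u = prev_change(trace, c, t, n)
    return None if u == START else trace[u - 1][c]

def unchanged_over(trace, t1, t2):
    """C_I for I = [t1, t2]: places whose contents equal their value at t1 at every
    tick of the interval (the empty interval t2 < t1 gives all of Omega)."""
    return {c for c in trace[0]
            if all(trace[u][c] == trace[t1][c] for u in range(t1, t2 + 1))}

def check_interval_axioms(trace):
    """(1a): I in J implies C_J in C_I; (1b) with its converse: overlapping I, J
    give C_I & C_J == C_{I u J}. Returns False on the first violation."""
    ticks = range(len(trace))
    intervals = [(a, b) for a in ticks for b in ticks if a <= b]
    for a, b in intervals:
        for c, d in intervals:
            c_i, c_j = unchanged_over(trace, a, b), unchanged_over(trace, c, d)
            if c <= a and b <= d and not c_j <= c_i:
                return False
            if max(a, c) <= min(b, d):  # I and J overlap
                if c_i & c_j != unchanged_over(trace, min(a, c), max(b, d)):
                    return False
    return True
```

Note that `previous_contents` is partial exactly where the paper's $\Box^n c$ is uninformative: a place that has not changed since $\mathrm{START}$ has no previous contents, which is why a partial state may say nothing about $\Box c$.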

Now we come to state the connections between present and previous values. We write down the condition only for $\Box$ and leave the obvious but messy case of $\Box^n$ for the reader.


(4) If $\varphi(.c_1, \ldots, .c_k, \Box c_{k+1}, \ldots, \Box c_n) \in S_{t_0}$, then $\varphi(.c_1, \ldots, .c_k, .c_{k+1}, \ldots, .c_m, \Box c_{m+1}, \ldots, \Box c_n) \in S_t$ for all $t$ such that

$\max\{c_1^{-1}(t_0), \ldots, c_k^{-1}(t_0),\ c_{m+1}^{-1}(t_0), \ldots, c_n^{-1}(t_0),\ c_{k+1}^{-2}(t_0), \ldots, c_m^{-2}(t_0)\} \le t < \min\{c_{k+1}^{-1}(t_0), \ldots, c_m^{-1}(t_0)\}$.

(5) If $\varphi(.c_1, \ldots, .c_k, \Box c_{k+1}, \ldots, \Box c_n) \in S_{t_0}$, then $\varphi(.c_1, \ldots, .c_j, \Box c_{j+1}, \ldots, \Box c_k, \Box c_{k+1}, \ldots, \Box c_n) \in S_t$ for all $t$ such that

$\max\{c_{j+1}^{1}(t_0), \ldots, c_k^{1}(t_0)\} \le t < \min\{c_1^{1}(t_0), \ldots, c_j^{1}(t_0),\ c_{j+1}^{2}(t_0), \ldots, c_k^{2}(t_0),\ c_{k+1}^{1}(t_0), \ldots, c_n^{1}(t_0)\}$.

1. Statement (1) says that a constant is preserved over a given interval $I$ iff it is preserved over each of two nondisjoint subintervals whose union is $I$.

2. Statement (2) outlaws "Zeno machine" calculations and allows you to count backward to the $n$-th previous change of a constant.

3. Statement (3) says that if the values (or contents) of $c_1, \ldots, c_n$ are (forced to be) preserved during an interval, then every partial state attached to a time in that interval contains the same information about $c_1, \ldots, c_n$.

Remark: If we did not have closure under logical deduction, we would have to write $S_{t_0} \vdash \varphi$ and $S_t \vdash \varphi$ instead of $\varphi \in S_{t_0}$ and $\varphi \in S_t$ in (3), (4) and (5).

4. Statement (4) says that all the information about previous contents is derived from previous information about (then-)present contents.

5. Statement (5) says that when the contents of a constant change, whatever was known about its "present contents" ($.$) is now known about its "previous contents" ($\Box$).


Now we define state deltas $(P, E \Rightarrow Q, M)$, which will mean the following: if $P$ is true in a certain "environment" $E$, then $Q$ will be true later, and along the way the values of constants outside $M$ were not modified. Note that $\Rightarrow$ is used for state changes, and $\to$ for logical implication.


We allow $.$ and $\Box$ to appear in state deltas, but not $\Box^n$ for $n > 1$. In addition, a first-order sentence $Q$ containing $\Box$ must appear in the postcondition of the state delta immediately containing $Q$. This conforms to the view that $\Box$ (previous) always relates to the value at the time of the precondition. This also explains why we do not allow $\Box^n$ for $n > 1$: a state delta can know only about one level of "previous." The conditions on $\Box^n$ come into play because of the "nesting" of state deltas. We will see below that if in fact $c$ did not change from the time of the precondition to the time of the postcondition, then $\Box c$ in the postcondition is the same as $.c$. If this causes a contradiction, then the interpretation is that the computation is aborted. For example, if $Q$ implies that $.c \ne \Box c$ but $c \notin M$, then when $(P, E \Rightarrow Q, M)$ is "applied," the computation aborts.

Definition: $SD$, the set of state deltas, is the smallest set such that

1. If $E, M \subseteq \Omega$, $P, Q$ are first order in $L_1$, and $P$ does not have an occurrence of $\Box$, then $(P, E \Rightarrow Q, M) \in SD$.

2. If $E, M \subseteq \Omega$ and $P, Q \in SD$, then $(P, E \Rightarrow Q, M) \in SD$.

3. If $P, Q \in SD$, then $P \wedge Q$, $P \vee Q$, $\neg P \in SD$.


The truth value of a state delta changes as a function of time, or more precisely with respect to $S_t$. A state delta may be viewed as a formula $(P, E \Rightarrow Q, M)(t)$.

Satisfaction for state deltas is defined in state delta models $\mathcal{A}$ as defined above.


First we have to tell how to translate an occurrence of $\Box$ into $.$ or the appropriate $\Box^n$.

Definition: Let $t_1 \le t_2$.

1. If $Q$ is first order in $L_1$, then $Q_{[t_1,t_2]}$ is the sentence of $L_2$ obtained from $Q$ by replacing every occurrence of $\Box c$ by $\Box^n c$, where $n$ is the number of times $c$ changed value in $[t_1, t_2]$, or by $.c$ ($= \Box^0 c$) when $n = 0$.

2. $(P, E \Rightarrow Q, M)_{[t_1,t_2]} = (P, E \Rightarrow Q, M)$ (no change).

3. $(P \wedge Q)_{[t_1,t_2]} = P_{[t_1,t_2]} \wedge Q_{[t_1,t_2]}$, $(P \vee Q)_{[t_1,t_2]} = P_{[t_1,t_2]} \vee Q_{[t_1,t_2]}$, $(\neg P)_{[t_1,t_2]} = \neg P_{[t_1,t_2]}$.


Now we can define

$\mathcal{A} \models (P, E \Rightarrow Q, M)(t_0)$ if and only if

$(\forall t_1 \ge t_0)\,[(P(t_1) \wedge E \subseteq C_{[t_0,t_1]}) \to (\exists t_2 \ge t_1)\,(Q_{[t_1,t_2]}(t_2) \wedge \Omega - M \subseteq C_{[t_1,t_2]})]$.

(Note: The above definition was written in "logical notation" for convenience. It is not implied that this is really a first-order sentence. If $P$ is a first-order sentence, then $P(t)$ means $S_t \vdash P$.) In words: the state delta is true at time $t_0$ if for every later $t_1$ at which $P$ is true, and for which the environment has not changed between $t_0$ and $t_1$, there is a still later $t_2$ at which $Q$ is true and for which the interpretation of constant symbols outside of the modification list has not changed between $t_1$ and $t_2$.

Notice that the calculation of $Q_{[t_1,t_2]}$ is postponed until $Q$ is first order. This is so that the time of the precondition ($t_1$) will already be known. For example, in

$(P_1(.c), E_1 \Rightarrow Q_1(\Box c) \wedge (P_2(.c), E_2 \Rightarrow Q_2(\Box c), M_2), M_1)$

the two $\Box c$'s do not refer to the same object.


3. SOME FACTS

The following are some easily verified facts about state deltas:

1. $\models (\forall t_1 \ge t_0)\,[(P, E \Rightarrow Q, M)(t_0) \wedge E \subseteq C_{[t_0,t_1]} \to (P, E \Rightarrow Q, M)(t_1)]$.

That is, if a state delta is true at $t_0$ and the environment does not change through $t_1$, then the state delta is true at $t_1$.

2. $\models E \subseteq E' \wedge M \subseteq M' \wedge \forall t\,(P'(t) \to P(t)) \wedge \forall t\,(Q(t) \to Q'(t)) \to \forall t\,((P, E \Rightarrow Q, M)(t) \to (P', E' \Rightarrow Q', M')(t))$.

That is, enlarging the environment and modification list, strengthening the precondition, and weakening the postcondition preserve satisfaction.

3. $\models \forall t\,[(P, \Omega \Rightarrow Q, \emptyset)(t) \equiv (P(t) \to Q(t))]$;

in particular, $\models \forall t\,[(\forall x(x = x), \Omega \Rightarrow P, \emptyset)(t) \equiv P(t)]$.

4. $\models \forall t\,[(P, \emptyset \Rightarrow Q, \Omega)(t) \equiv (\forall t_1 \ge t)(P(t_1) \to (\exists t_2 \ge t_1)\,Q(t_2))]$.

5. $\models \forall t\,[(P, \Omega \Rightarrow Q, \Omega)(t) \equiv (P(t) \to (\exists t_1 \ge t)\,Q(t_1))]$.

6. $\models \forall t\,[(P, \emptyset \Rightarrow Q, \emptyset)(t) \equiv (\forall t_1 \ge t)(P(t_1) \to Q(t_1))]$.
7. $\models \forall t\,[((P, E \Rightarrow P_1, M)(t) \wedge (\forall t_1 \ge t)(E \subseteq C_{[t,t_1]} \to (P_1, \Omega - M \Rightarrow Q, M)(t_1))) \to (P, E \Rightarrow Q, M)(t)]$;

in particular:

8. $\models (\forall t)\,[(P, \Omega \Rightarrow Q_1, M)(t) \wedge (Q_1, \Omega - M \Rightarrow Q_2, M)(t) \wedge \ldots \wedge (Q_{n-1}, \Omega - M \Rightarrow Q_n, M)(t) \to (P, \Omega \Rightarrow Q_n, M)(t)]$.

9. $\models (\forall t)\,[(P_1, E_1 \Rightarrow Q_1, M_1)(t) \wedge (P_2, E_2 \Rightarrow Q_2, M_2)(t) \to (P_1 \vee P_2, E_1 \cup E_2 \Rightarrow Q_1 \vee Q_2, M_1 \cup M_2)(t)]$;

in particular,

10. $\models (\forall t)\,[(P \wedge P', E \Rightarrow Q, M)(t) \wedge (P \wedge \neg P', E \Rightarrow Q, M)(t) \to (P, E \Rightarrow Q, M)(t)]$.

11. $(P_1, E \Rightarrow (P_2, \Omega \Rightarrow Q, M), \emptyset) \to (P_1 \wedge P_2, E \Rightarrow Q, M)$

(Instead of $\emptyset$ it is sufficient to have any subset of $M$ disjoint from the places affecting $P_2$, and instead of $\Omega$ any set at all will suffice.)

12. If $Q$ is first order and $c \notin M$, then

$\models (\forall t)\,[(P, E \Rightarrow Q, M)(t) \equiv (P, E \Rightarrow Q', M)(t)]$

where $Q'$ is obtained from $Q$ by replacing all occurrences of $\Box c$ by $.c$ (and leaving occurrences of $.c$ as they are).

Thus, for example, a first-order $Q$, interpreted as a state delta, is $(\forall x(x = x), \Omega \Rightarrow Q, \emptyset)$ by 3, and thus by 12, every occurrence of $\Box$ in $Q$ is interpreted as $.$ (dot).

Now we state a general induction principle which can be used to derive one state delta from another:

13. Let $R(x, y)$ be a well-founded partial order, and $E \cap M = \emptyset$.

$\models (\forall t)\,[(Q \wedge \exists x\,R(x, .c), E \Rightarrow Q \wedge R(.c, \Box c), M)(t) \to (Q \wedge \exists x\,R(x, .c), E \Rightarrow Q \wedge \neg\exists x\,R(x, .c), M)(t)]$.

4. TEMPORAL POWER OF STATE DELTAS

First, let us make a short comparison with some of the operators of classical temporal logic. While at first it may seem as though state deltas can only claim that at some time in the future the desired situation will be attained, much more can be stated through proper use of the environment and modification lists.

For example,

"$Q$ will always be true in the future" is

$(\mathrm{True}, \emptyset \Rightarrow Q, \emptyset)$.
Let us examine "$P$ is true until $Q$." If the set of places $P$ depends on, $\Omega_P$, is disjoint from those of $Q$, $\Omega_Q$, then we can write

$P \wedge (\mathrm{True}, \Omega \Rightarrow Q, \Omega_Q)$.

However, it seems impossible if $P$ and $Q$ have places in common, since the only obvious way to make sure $P$ stays true is to make its places unmodifiable. But then that restricts, or prohibits, $Q$'s changing.

The following question also arises: How does one know in $(P, E \Rightarrow Q, M)$ when the postcondition time has arrived? One may know there is a time in the future when the output will be ready, but how does one know when to look?

We can solve this problem by adding an auxiliary place $\mathrm{SIGNAL}$ to the language. The following nested state delta guarantees that if you look at the state when $\mathrm{SIGNAL}$ is $\mathrm{ON}$ (assuming it is $\mathrm{OFF}$ at the time of the precondition), $Q$ will be true:

$(P, E \Rightarrow Q \wedge (\mathrm{True}, \emptyset \Rightarrow \mathrm{SIGNAL} = \mathrm{ON}, \{\mathrm{SIGNAL}\}), M)$.

Thus, $Q$ becomes true sometime, and then with $Q$ held constant $\mathrm{SIGNAL}$ becomes $\mathrm{ON}$. Notice that $\mathrm{SIGNAL}$ cannot become $\mathrm{ON}$ between $P$ and $Q$ since it is not a member of $M$.
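The satisfaction definition of Section 2 and the encodings of this section can be checked mechanically over a finite trace. The following Python is an added example, not code from the paper or from the USC ISI proof checker [2]. It assumes time is the tick index $0, \ldots, \text{len(trace)}-1$ with $\mathrm{START} = 0$, that the trace is the whole history (so "a later time" means a later tick in the trace, which decides the existential only up to the trace end), and a constructed trace of a countdown microprogram over the places CNT, ACC and SIGNAL. A first-order sentence is a predicate over the current contents ($.c$, `now`) and the contents at the precondition time ($\Box c$, `prev`); binding `prev` to the contents at $t_1$ is exactly the translation $Q_{[t_1,t_2]}$, since $\Box^n c$ at $t_2$ with $n$ changes in between is the value $c$ had at $t_1$. It checks the loop-body delta and the delta Fact 13 lets us derive from it, the "always" encoding $(\mathrm{True}, \emptyset \Rightarrow Q, \emptyset)$, and the SIGNAL pattern, including a trace where SIGNAL is raised before $Q$ holds.

```python
# Added example, not from the paper. Finite-trace checker for state deltas:
# (P, E => Q, M) holds at t0 iff for every t1 >= t0 with P(t1) and E in C_[t0,t1]
# there is t2 >= t1 with Q_[t1,t2](t2) and Omega - M in C_[t1,t2].

def unchanged_over(trace, t1, t2):
    """C_[t1,t2]: places whose contents equal their value at t1 throughout."""
    return {c for c in trace[0]
            if all(trace[u][c] == trace[t1][c] for u in range(t1, t2 + 1))}

class FO:
    """First-order sentence pred(now, prev): `now` is the contents at the time of
    evaluation (.c); `prev` is the contents at the precondition time (Box c)."""
    def __init__(self, pred): self.pred = pred
    def at(self, trace, t, prev=None): return self.pred(trace[t], prev)

class And:
    def __init__(self, *fs): self.fs = fs
    def at(self, trace, t, prev=None): return all(f.at(trace, t, prev) for f in self.fs)

class Delta:
    """State delta (P, E => Q, M); Q may itself be a Delta (nesting)."""
    def __init__(self, P, E, Q, M):
        self.P, self.E, self.Q, self.M = P, frozenset(E), Q, frozenset(M)
    def at(self, trace, t, prev=None):   # a nested delta is unaffected by [t1,t2]
        return self.holds(trace, t)
    def holds(self, trace, t0):
        omega = set(trace[0])
        for t1 in range(t0, len(trace)):
            if not (self.P.at(trace, t1) and self.E <= unchanged_over(trace, t0, t1)):
                continue
            if not any(self.Q.at(trace, t2, prev=trace[t1])
                       and (omega - self.M) <= unchanged_over(trace, t1, t2)
                       for t2 in range(t1, len(trace))):
                return False
        return True

OFF, ON = "OFF", "ON"
# Constructed trace: ACC += 5 while CNT > 0, then SIGNAL is raised.
GOOD = [
    {"CNT": 3, "ACC": 0,  "SIGNAL": OFF},   # t = 0
    {"CNT": 2, "ACC": 5,  "SIGNAL": OFF},   # t = 1
    {"CNT": 1, "ACC": 10, "SIGNAL": OFF},   # t = 2
    {"CNT": 0, "ACC": 15, "SIGNAL": OFF},   # t = 3
    {"CNT": 0, "ACC": 15, "SIGNAL": ON},    # t = 4
    {"CNT": 0, "ACC": 15, "SIGNAL": ON},    # t = 5
]
# Same program, but SIGNAL is raised at t = 2, before the loop has finished.
BAD = [dict(s, SIGNAL=ON if t >= 2 else OFF) for t, s in enumerate(GOOD)]

TRUE = FO(lambda now, prev: True)
INV  = FO(lambda now, prev: now["ACC"] == 5 * (3 - now["CNT"]))   # Q of Fact 13
BUSY = FO(lambda now, prev: now["CNT"] > 0)                        # exists x R(x, .CNT), R = <
DONE = FO(lambda now, prev: now["CNT"] == 0)                       # not exists x R(x, .CNT)
DECR = FO(lambda now, prev: now["CNT"] < prev["CNT"])              # R(.CNT, Box CNT)
SIG_ON = FO(lambda now, prev: now["SIGNAL"] == ON)

# Fact 13: the loop body delta and the delta derived from it; E = {} and M are disjoint.
LOOP_BODY = Delta(And(INV, BUSY), set(), And(INV, DECR), {"CNT", "ACC"})
LOOP_EXIT = Delta(And(INV, BUSY), set(), And(INV, DONE), {"CNT", "ACC"})

def always(Q):
    """'Q will always be true in the future' as (True, {} => Q, {})."""
    return Delta(TRUE, set(), Q, set())

# The SIGNAL pattern: (P, E => Q and (True, {} => SIGNAL = ON, {SIGNAL}), M).
START_STATE = FO(lambda now, prev: now["CNT"] == 3 and now["ACC"] == 0)
FINISHED = FO(lambda now, prev: now["CNT"] == 0 and now["ACC"] == 15)
SIGNALLED = Delta(START_STATE, set(),
                  And(FINISHED, Delta(TRUE, set(), SIG_ON, {"SIGNAL"})),
                  {"CNT", "ACC"})

def check_all():
    """Results of the checks, keyed by name."""
    return {
        "loop_body_good": LOOP_BODY.holds(GOOD, 0),         # True
        "loop_exit_good": LOOP_EXIT.holds(GOOD, 0),         # True
        "invariant_always": always(INV).holds(GOOD, 0),     # True
        "signal_on_from_4": always(SIG_ON).holds(GOOD, 4),  # True
        "signal_on_from_0": always(SIG_ON).holds(GOOD, 0),  # False
        "signalled_good": SIGNALLED.holds(GOOD, 0),         # True
        "signalled_bad": SIGNALLED.holds(BAD, 0),           # False
    }

if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name}: {ok}")
```

The BAD trace fails for the reason the text gives: SIGNAL is outside $M$, so it must lie in $C_{[t_1,t_2]}$ for the $t_2$ at which $Q$ holds, and a change at tick 2 excludes it. Because `prev` is the contents at $t_1$, a postcondition mentioning $\Box c$ for some $c \notin M$ automatically sees $\Box c = .c$ (Fact 12), and a postcondition asserting $.c \ne \Box c$ for such a $c$ can never be satisfied, which is the checker's rendering of "the computation aborts."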